Working to remove 'leaving secure site' redirect page from Spring Boot project

Author: plup2

gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/BaseUtil.java

@@ -8,7 +8,7 @@
 import goc.webtemplate.Constants;
 
 public final class BaseUtil {
-	public static void doLeaveSecureSite(HttpServletRequest req, HttpServletResponse res) throws Exception {
+	public static void doLeaveSecureSite(HttpServletRequest req, HttpServletResponse res) throws Exception { //TODO: Remove this once no longer referenced
 		String redirectUrl = URLDecoder.decode(req.getParameter("targetUrl"), "UTF-8");
 		res.sendRedirect(redirectUrl);
 	}
@@ -24,6 +24,10 @@ public static void doLocaleSwitch(HttpServletRequest req, HttpServletResponse re
 		}
 
 		String prevUrl = URLDecoder.decode(req.getParameter(Constants.QUERYSTRING_KEY), "UTF-8");
+
+		// Validate that the redirect link is relative to the host and NOT absolute or relative to scheme
+		if ((!prevUrl.startsWith("/")) || prevUrl.startsWith("//")) throw new Exception("Unauthorized return URL specified for language switching.");
+
 		res.sendRedirect(prevUrl);
 	}
 

gocwebtemplate-core/gocwebtemplate-core-base/src/main/java/goc/webtemplate/component/jsonentities/SetupBase.java

@@ -5,7 +5,6 @@
 import java.util.List;
 
 import goc.webtemplate.LeavingSecureSiteWarning;
-import goc.webtemplate.Utility;
 import goc.webtemplate.WebAnalyticsInfo;
 
 /**
@@ -39,7 +38,7 @@ public SetupBase(String subTheme, String jqueryEnv, LeavingSecureSiteWarning lss
         this.subTheme = subTheme;
         this.jqueryEnv = jqueryEnv;
         this.exitSecureSite = null;
-        if ((lssw != null) && lssw.isEnabled() && !Utility.isNullOrEmpty(lssw.getRedirectUrl())) {
+        if ((lssw != null) && lssw.isEnabled()) {
             this.exitSecureSite = new ExitSecureSite(lssw);
         }
         this.webAnalytics = webAnalytics;

gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/BaseCoreBean.java

@@ -35,7 +35,7 @@ protected String getDefaultLanguageLinkUrl() {
 
     @Override
     protected String getDefaultLeaveSecureSiteRedirectUrl() {
-        return "gocwebtemplate_leavesecuresiteredirect";
+        return null;
     }
 
     @Override

gocwebtemplate-core/gocwebtemplate-core-spring/src/main/java/goc/webtemplate/component/spring/controller/CoreController.java

@@ -10,15 +10,8 @@
 
 @Controller
 public class CoreController {
-	
 	@GetMapping("/gocwebtemplate_switchlocale")
 	public void SwitchLocale(HttpServletRequest request, HttpServletResponse response) throws Exception {
 		BaseUtil.doLocaleSwitch(request, response);
 	}	
-	
-	@GetMapping("/gocwebtemplate_leavesecuresiteredirect")
-	public void LeaveSecureSiteRedirect(HttpServletRequest request, HttpServletResponse response) throws Exception {
-		//Custom processing would go here
-		BaseUtil.doLeaveSecureSite(request, response);
-	}
 }

gocwebtemplate-sample-spring/src/main/java/goc/webtemplate/spring/samplebeans/LeavingSecureSiteSampleBean.java

@@ -14,7 +14,6 @@ public void onWebTemplateInitialize() {
 
         lssw.setEnabled(true);
         lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-        lssw.setRedirectUrl("gocwebtemplate_leavesecuresiteredirect");
         lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
         lssw.setCancelMessage("Don't leave");
         lssw.setYesMessage("Yes, leave this site");

gocwebtemplate-sample-spring/src/main/resources/samples/LeavingSecureSiteSample.html

@@ -20,8 +20,8 @@ <h2>Leaving Secure Site Warning</h2>
 	    <ul>
 	        <li>display the message to the user in the form of a modal window</li>
 	        <li>display the message your application provides</li>
-	        <li>allow your application to execute any clean up code (ex: close session, gracefully logout user etc...)</li>
-	        <li>allow your application to exlude any domains from raising the warning</li>
+            <li>allow your application to exlude any domains from raising the warning</li>
+	        <li>optionally, allow your application to execute any clean up code (ex: close session, gracefully logout user etc...)</li>
 	    </ul>
 	    <h2>How it works</h2>
 	    <ul>
@@ -32,16 +32,11 @@ <h2>How it works</h2>
 	                <li>A "Yes" button appears on the window to allow the user to continue with the redirection to the selected link.</li>
 	            </ul>
         	</li>
-        	<li>if the "Yes" button is clicked:
-	            <ul>
-	                <li>the user will first be redirect to the url set in <code class="wb-prettify">"leavingSecureSiteRedirectUrl"</code> via either the cdn.properties file or programmatically</li>
-	                <li>the info of the linked that was clicked is part of the querystring to that url</li>
-	                <li>in the redirect url provided earlier, attach the preRenderView event to the page and execute a custom bean method to perform the redirect</li>
-	                <li>execute any clean up code your application requires</li>
-	                <li>once executed the custom method will redirect the user to the url of the clicked link</li>
-	                <li>the leave secure site feature is already provided by default as part of the GoC Web Template package</li>
-	                <li>by default the leave secure site redirect url will invoke the <code class="wb-prettify">LeaveSecureSiteRedirect</code> method found in the controller.</li>
-	            </ul>
+        	<li>if the "Yes" button is clicked, the browser will be directed to the external link</li>
+        	<li>optionally, a redirect url can be set in <code class="wb-prettify">"leavingSecureSiteRedirectUrl"</code> via either the cdn.properties file or programmatically.
+        	    If this is used, the browser will be directed to this page before leaving, where the application can terminate the user's session and let them proceed to the external link.
+        	    The external link will be presented to the user by placing an element <code class="wb-prettify">&lt;span class="wb-exitscript wb-exitscript-exiturlparam"&gt;&lt;/span&gt;</code> on the page.
+        	    An example of "middle page" is available in the <a href="https://wet-boew.github.io/wet-boew/docs/ref/exitscript/exiturl-en.html?exturl=http%3A%2F%2Fcsszengarden.com%2F219">WET Documentation</a>.
 	        </li>
 	    </ul>
 	    <p>Here is a local link that will not display the warning: <a href="BaseSettingsSample">Link to Local Page</a></p>
@@ -51,7 +46,6 @@ <h3>Enable the leaving secure site feature</h3>
 	    <ul>
 	        <li>Set, via the cdn.properties file or programmatically in your custom bean class, <code class="wb-prettify">"Enabled"</code> to <strong>"true"</strong></li>
 	        <li>Provide the message to be displayed by setting the <code class="wb-prettify">"Message"</code> programmatically via the <code class="wb-prettify">setLeavingSecureSiteWarning</code> method in your custom bean class.</li>
-	        <li>Set, via the cdn.properties file or programmatically in your custom bean class, <code class="wb-prettify">"RedirectUrl"</code> to your page which will execute your clean up code and then redirect to the selected url.</li>
 	        <li>Set, via the cdn.properties or programmatically in your custom bean class, <code class="wb-prettify">"ExcludedDomain"</code> the list of domains you do not want to raise the warning</li>
 	    </ul>
 	    <div class="wb-prettify all-pre lang-vb linenums">
@@ -63,7 +57,6 @@ <h3>Enable the leaving secure site feature</h3>
 
     lssw.setEnabled(true);
     lssw.setMessage("You are about to leave a secure site, do you wish to continue?");
-    lssw.setRedirectUrl("gocwebtemplate_leavesecuresiteredirect");
     lssw.setExcludedDomains("www.esdc.gc.ca,www.jobbank.gc.ca,www.readseal.ca");
     lssw.setCancelMessage("Don't leave");
     lssw.setYesMessage("Yes, leave this site");
@@ -74,20 +67,6 @@ <h3>Enable the leaving secure site feature</h3>
 }
         </pre>
     	</div>
-	    <h3>Map your "redirect" url in the controller</h3>
-	    <ul>
-	        <li>The relative url <code class="wb-prettify">/gocwebtemplate_leavesecuresiteredirect</code> will map to the method that can be used to perform the redirect.</li>
-	    </ul>
-	    <div class="wb-prettify all-pre lang-vb linenums">
-	        <h4>Code Sample for your Redirect Controller method</h4>
-	        <pre>
-@GetMapping("/gocwebtemplate_leavesecuresiteredirect")
-public void LeaveSecureSiteRedirect(HttpServletRequest request, HttpServletResponse response) throws Exception {
-	//Custom processing would go here
-	BaseUtil.doLeaveSecureSite(request, response);
-}
-	        </pre>
-	     </div>
 	<div th:replace="_samplelist :: samplelist"></div>
 </section> 
 </body>